From 3df65fc8eae142b59f6b17ab8147630accb017cc Mon Sep 17 00:00:00 2001
From: Alfonso Acosta
Date: Tue, 23 Apr 2019 17:40:29 +0100
Subject: [PATCH 1/4] Fix insecure-host-checking for repos with an explicit port

Before this change we included the repository port when comparing against the list of insecure hosts.
---
 registry/client_factory.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/registry/client_factory.go b/registry/client_factory.go
index 53b7acca2..a7ac0faa0 100644
--- a/registry/client_factory.go
+++ b/registry/client_factory.go
@@ -3,6 +3,7 @@ package registry
 import (
 	"context"
 	"crypto/tls"
+	"net"
 	"net/http"
 	"net/url"
 	"sync"
@@ -92,9 +93,13 @@ attemptChallenge:
 }
 
 func (f *RemoteClientFactory) ClientFor(repo image.CanonicalName, creds Credentials) (Client, error) {
+	repoHost, _, err := net.SplitHostPort(repo.Domain)
+	if err != nil {
+		return nil, err
+	}
 	insecure := false
 	for _, h := range f.InsecureHosts {
-		if repo.Domain == h {
+		if repoHost == h {
 			insecure = true
 			break
 		}

From 27ac38b7302711332c44d538baad382c4fd2a481 Mon Sep 17 00:00:00 2001
From: Alfonso Acosta
Date: Tue, 23 Apr 2019 17:52:31 +0100
Subject: [PATCH 2/4] Also allow providing the port

---
 registry/client_factory.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/registry/client_factory.go b/registry/client_factory.go
index a7ac0faa0..13b07fb7d 100644
--- a/registry/client_factory.go
+++ b/registry/client_factory.go
@@ -99,7 +99,8 @@ func (f *RemoteClientFactory) ClientFor(repo image.CanonicalName, creds Credenti
 	}
 	insecure := false
 	for _, h := range f.InsecureHosts {
-		if repoHost == h {
+		if repoHost == h || repo.Domain == h {
+			// allow host with out without the port in the insecure hosts list
 			insecure = true
 			break
 		}

From 9e471d3d6e25a469d3964f192f168649791b2527 Mon Sep 17 00:00:00 2001
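Review bot: Adding `repo.Domain == h` next to `repoHost == h` in the patch 2 hunk makes a port-less entry in `f.InsecureHosts` match a repository on that host at any port, whereas the pre-series comparison `repo.Domain == h` only matched a domain with no explicit port; this widens the set of registries the client treats as insecure, and patch 4 keeps the same matching by comparing both forms. That is probably the intended semantics, but nothing in the series documents it where operators will read it, and the `InsecureHosts` field is declared outside this hunk. I would add to that field's doc comment (or the flag help that feeds it) `// An entry without a port matches that host on every port; include the port to restrict the match to one registry.` A table-driven test covering a domain with and without a port against list entries with and without a port would pin the behaviour, since none of the four patches adds one. The body of `ClientFor` continues outside the hunk.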
From: Alfonso Acosta
Date: Wed, 24 Apr 2019 10:30:50 +0100
Subject: [PATCH 3/4] Improve comment phrasing

---
 registry/client_factory.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/registry/client_factory.go b/registry/client_factory.go
index 13b07fb7d..af2925b6d 100644
--- a/registry/client_factory.go
+++ b/registry/client_factory.go
@@ -99,8 +99,8 @@ func (f *RemoteClientFactory) ClientFor(repo image.CanonicalName, creds Credenti
 	}
 	insecure := false
 	for _, h := range f.InsecureHosts {
+		// allow the insecure hosts list to contain hosts with or without the port
 		if repoHost == h || repo.Domain == h {
-			// allow host with out without the port in the insecure hosts list
 			insecure = true
 			break
 		}

From acd39bb5d4ba9a4c9604559f43123b512e8c2af6 Mon Sep 17 00:00:00 2001
From: Alfonso Acosta
Date: Wed, 24 Apr 2019 10:51:55 +0100
Subject: [PATCH 4/4] Handle SplitHostPort errors

---
 registry/client_factory.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/registry/client_factory.go b/registry/client_factory.go
index af2925b6d..12265298d 100644
--- a/registry/client_factory.go
+++ b/registry/client_factory.go
@@ -93,16 +93,21 @@ attemptChallenge:
 }
 
 func (f *RemoteClientFactory) ClientFor(repo image.CanonicalName, creds Credentials) (Client, error) {
-	repoHost, _, err := net.SplitHostPort(repo.Domain)
-	if err != nil {
-		return nil, err
+	repoHosts := []string{repo.Domain}
+	// allow the insecure hosts list to contain hosts with or without the port
+	repoHostWithoutPort, _, err := net.SplitHostPort(repo.Domain)
+	if err == nil {
+		// parsing fails if no port is present
+		repoHosts = append(repoHosts, repoHostWithoutPort)
 	}
 	insecure := false
+insecureCheckLoop:
 	for _, h := range f.InsecureHosts {
-		// allow the insecure hosts list to contain hosts with or without the port
-		if repoHost == h || repo.Domain == h {
-			insecure = true
-			break
+		for _, repoHost := range repoHosts {
+			if h == repoHost {
+				insecure = true
+				break insecureCheckLoop
+			}
 		}
 	}